International Standards to Regulate Aggressive Cyber-behavior from a Foreign State
Mansoor Faridi
Fort Hays State University
May 10, 2015
Author Note
Mansoor Faridi, Department of Informatics, Fort Hays State University.
Mansoor Faridi is a graduate student at Fort Hays State University specializing in
Information Assurance Management. He lives in Toronto, Canada where he manages the
Compliance function for a major Canadian Financial Institution.
This position paper is a deliverable for Public Policy, Law, and Ethics in Informatics (INT610) course.
Correspondence concerning this paper should be addressed to Mansoor Faridi.
Table of Contents
Abstract
Introduction
Regulation of Foreign State’s Aggressive Cyber-behavior
    Background
    Significance
Present Frameworks Regulating Aggressive Cyber-behavior
    Problem Definition
    Current Status
Developing and Implementing Global Standards Regulating Aggressive Cyber-behavior
    Challenges
    Roadmap
Conclusion
References
Appendices
Appendix A – Cyber-attack representations
Appendix B – Examples of recent incidents of nations' cyber warfare
Appendix C – Cyber-attacks on various Nations (by category)
Appendix D – Estimated cost of cybercrimes in U.S. and Globally
Appendix E – Model to develop global standards regulating aggressive cyber-behavior
Abstract
While technological advancements have improved our quality of life, they have also exposed us to
previously unknown threat vectors, such as aggressive cyber-behaviour from a foreign State.
This significant issue has materialized in the form of huge losses (financial and otherwise) and
disruption of critical service provision. The main reason behind this problem is the absence
of international standards regulating a foreign State’s aggressive cyber-behavior. The global
community has failed to form a united front to develop and implement effective solutions to
tackle this issue proactively. Some global and regional organizations have developed frameworks
that also fail to address this issue fully, as their scope is domestic, focussing on individuals’
cyber-behaviour (as opposed to that of the State), and their solutions are theoretical in nature,
with no provisions defining investigation and prosecution mechanisms. Since the rules of
engagement of modern cyber-warfare differ from those of conventional military conflict, nations
need to take this distinction into consideration when approaching the issue. Another important
aspect is codification of international standards, including the definition of scope, jurisdiction,
forensic procedures, resources, and investigative and prosecution authorities. This difficult feat
is possible with mutual cooperation, active involvement, and compliance (by member nations)
with these international standards regulating a foreign State’s aggressive cyber-behavior.
Keywords: best practices, coe, continuous improvement, cyber-hacktivism, cyber-law, cyber-
terrorism, cyber-warfare, impact, interpol, nato, jurisdiction, sovereign, united nations, wegener
Introduction
This position paper supports the argument that ‘there exists an imminent need to develop
and implement international standards to regulate aggressive cyber-behavior from a foreign State.’
The first section provides the background and significance of the issue and illustrates the
magnitude of this problem with examples of sovereign nations attacking each other in cyber-space,
concluding with estimates of financial losses incurred due to this aggressive cyber-behavior.
The second section describes the issue in detail, along with a description of frameworks
developed by various global organizations to regulate cyber-behavior. However, all frameworks
are lacking in scope (they focus on regulating individuals’ cyber-behavior as opposed to that of
the State) and intent (they are theoretical in nature, without defining jurisdiction and
prosecuting authorities).
The third section lists and discusses major challenges hindering the development and
implementation of the aforementioned global standards; it also provides some recommendations
along with a roadmap to design, develop, and implement global standards. The section concludes
by detailing an overall approach emphasizing collaborative engagement and the launching of this
initiative through globally recognized platforms, with respected world bodies supporting
investigation and prosecution mechanisms.
This position is based on an overall approach in a global context where centralized
institutions are responsible for designing, developing, implementing, regulating, prosecuting, and
enforcing international standards. The approach has been inspired by industry best practices and
global standards and frameworks with a focus on continuous improvement to keep the standards
agile, relevant, and up-to-date!
Regulation of Foreign State’s Aggressive Cyber-behavior
In my opinion, there is an imminent need to design, develop and implement robust,
effective, and comprehensive international standards to regulate aggressive cyber-behavior
instigated by a foreign nation state against another entity, such as another state, organization,
person, etc. These standards should be supported by an international body (such as the United
Nations, Interpol, etc.) to ensure their legal enforcement and effective implementation on a global
scale. The sub-sections below describe the background and significance of this issue.
Background
In traditional warfare, strategic objectives are realized by executing offensive maneuvers.
This cripples a nation by inflicting damage on its airfields, ports, roads, ordnance depots, defense
and communication capabilities, etc. However, with technological advancements, the focus has
shifted to a more sophisticated mode of warfare, which is equally lethal but entirely virtual
[emphasis added] in nature (See Figure 1, Passeri, 2015). This is eloquently summed up by Noah
Feldman (2015), Harvard Law professor: “Cyber-attacks … as a strategic matter … do not differ
fundamentally from older tools of espionage and sabotage.” In fact, cyber-warfare is politically
motivated hacking to conduct sabotage and cyber espionage (Cyberwarfare, 2015;
See Appendix A, Chart A).
The change in venue where the ‘war’ is being fought has led to a paradigm shift. This
aggressive cyber-behavior is akin to cases of road-rage. Fortunately, we have traffic laws to deal
with such a menace; however, we do not have a holistic set of international standards to regulate
aggressive cyber-behavior from foreign State actors. This is defined as “attacks or series of
attacks on critical information carried out by terrorists and instills fear by effects that are
disruptive or destructive and has a political, religious and ideological motivation” (Schjolberg,
2007, p. 2). Table 1 below illustrates recent examples of cyber-attacks instigated by sovereign
nations on other nations and entities (See Appendix B for details; Cyberwarfare, 2015).
Table 1
Instances of nations’ cyber-warfare
The next sub-section highlights the gravity and impact of cyber-crimes, supported by
statistics, and shows how cyber-crimes expose the vulnerabilities of our data and information
as they relate to privacy, security, integrity, and availability.
Significance
Through cyber-warfare, nations (or proxy agents acting on their behalf) try to gain illegal
access to data and information in order to sabotage, conduct espionage, harm critical
infrastructure and assets, and disrupt mission-critical operations (Awan, 2010, p. 6), resulting in
significant financial losses, tarnished reputations, and even total financial collapse.
According to the InfoSec Institute (2013), estimated total global losses owing to cyber-crimes
ranged from $300 billion to $1 trillion (See Table 2, McAfee, 2013, p. 4), which equates
to a noticeable 0.4% to 1.4% of the world’s GDP! (See Appendix D)
The magnitude of this problem, signified by the troubling statistics, is sufficiently
alarming to trigger an immediate response by policy makers globally (Wegener, 2014, p. 2). If an
issue of such paramount importance is not proactively tackled and addressed by developing
policies and standards, then it will put us at a disadvantage in effectively combating cyber-
warfare/cyber-terrorism instigated by rogue nations. According to Passeri (2015), the most
cyber-attacked countries are the U.S., the U.K., and Australia, respectively. However, in March 2015,
the U.S. was the subject of most cyber-hacktivism attacks worldwide (See Appendix C).
In case of inaction, rogue states will continue to exhibit aggressive cyber-behavior,
inflicting damage on other states without any threat of a retaliatory response; and the biggest
loser in all this will be the general public, as they rely on their respective countries for provision
of various services that are supported by critical infrastructure that is vulnerable to these threats.
It is comforting to know that the United States and the United Nations have taken several steps in
the right direction to address this issue head-on, which forms the topic of discussion in the next
section. It is high time that a mechanism is established, as echoed by Leon Panetta (CIA
Director, 2009 - 2011), “it was vital for the organization to be one step ahead of the game when
it comes to challenges like cyber space security.” (Defence, 2010)
Present Frameworks Regulating Aggressive Cyber-behavior
Though the extent of losses is not fully quantified, there is ample evidence
available (See Appendix D) to estimate the extent of losses, and to determine major sources of
threats emanating from certain rogue nations (See Appendix B). What also remains unclear is
the absence of repercussions (Hathaway et al., 2011, p. 52) in current international legal
frameworks to deter nations from engaging in this aggressive cyber-behavior. The following
sub-sections describe the problem and analyze the frameworks by examining their shortcomings.
Problem Definition
Presently, comprehensive international standards do not exist, and the frameworks that
do exist address cyber-aggression perpetrated by individuals rather than by a sovereign state.
To date, satisfactory steps have not been taken to design and implement
international standards effectively combatting foreign states’ aggressive cyber-behavior. The next
sub-section describes various frameworks developed to date, and why they failed to regulate
a foreign state’s aggressive cyber-behavior.
Current Status
International standards are drafted by various entities based on the premise afforded by
international laws. Presently, the international law of countermeasures does not define when a
cyber-attack is unlawful, nor does it clearly differentiate between the instigator as an individual
or a sovereign state. It simply provides that when a State commits an international law violation,
an injured State may respond with a reciprocal act. In the cyber-attack context, an injured State may
employ active defenses as reciprocal countermeasures, in which the injured State ceases obeying the
same or a related obligation to the one the responsible State violated. The challenges to such a
response are, firstly, to establish the attacker’s identity, as it may not be a State but a proxy
working on its behalf. Secondly, it is difficult to deploy countermeasures that injure only the
actor that perpetrated the attack. For these reasons, the customary law of countermeasures offers only a
partial answer to the problem of sovereign cyber-attacks (Kanuck, 2010, p. 1586; Hathaway et
al., 2011, pp. 45-47).
However, some mechanisms (listed below) have been developed to regulate aggressive
cyber-behavior (Hathaway et al., 2011, p. 48) of individuals, which can be extended to sovereign
states as well after revising their scope and modifying the overall intent.
The United Nations: Headquartered in Cyberjaya, Malaysia, the International Multilateral
Partnership Against Cyber Threats (IMPACT) was created in 2008 (IMPACT, 2015) with
United Nations support to serve as a politically neutral global platform that brings
together governments of the world, industry and academia to enhance the global
community’s capabilities in dealing with cyber threats. With a total of 152 member
states, IMPACT coordinates its partners’ resources to fight cyber-crimes that go beyond
political borders. IMPACT provides research and training services, policy planning, and
cyber-intelligence gathering and sharing with its partners; however, it lacks any
prosecution and/or enforcement authority. It can be concluded that at present, the United
Nations’ role vis-a-vis cyber-security remains largely limited to facilitating discussions
and information sharing among member states, failing to address the issue at hand.
North Atlantic Treaty Organization (NATO): In 2008, a NATO summit prompted the
creation of two new NATO divisions focused on cyber-attacks: the Cyber Defense
Management Authority and the Cooperative Cyber Defense Centre of Excellence
(Hathaway et al., 2011, pp. 50-51).
The Cyber Defense Management Authority aims to centralize cyber-defense
capabilities across NATO members. Due to the lack of publicly available information, it is
only speculated that the Authority possesses “real-time electronic monitoring
capabilities for pinpointing threats and sharing critical cyber intelligence in real-time”,
with the ultimate goal of becoming an operational war room for cyber-defense.
The Cooperative Cyber Defense Centre of Excellence aspires to “advance the
development of long-term NATO cyber defense doctrine and strategy.” In conflict with
NATO's Article 5, member states do not feel compelled, and are not bound, to “assist”
each other in case of a cyber-attack on any member state.
NATO’s creation of these two divisions represents the recognition of the problem
and a tangible step in the right direction; however, both divisions lack any prosecution
and/or enforcement authority to deter aggressive cyber-behavior by a sovereign state.
The Council of Europe: In 2001, the Council of Europe promulgated a common criminal
policy aimed at the protection of society against cybercrime, through legislation and
international cooperation (Council, 2015). The rules of this framework do not appear to
apply to government actions, whether taken for law enforcement or national security
purposes. Member states have implicitly ensured full cooperation during investigation
and/or prosecution; however, the most developed international legal framework voids
itself by ignoring ‘government actions’, and hence fails to serve as a deterrent.
The Organization of American States: The Organization of American States (OAS) aims
to build and strengthen cyber-security capacity in the member states through technical
assistance and training, policy roundtables, crisis management exercises, and the
exchange of best practices related to information and communication technologies. In
2004, OAS approved the creation of a cyber-security program to build cyber security
capacity in OAS member states, recognizing that the responsibility for securing
cyberspace lies with a wide range of national and regional entities from the public and
private sectors working on both policy and technical issues. The main objectives center
on developing threat identification and mitigation capabilities, timely communication
to all member states, and strategic planning activities supported by all member states
(OAS, 2015).
Again, OAS’ cyber security program fails to formalize a prosecution mechanism to
criminalize and prosecute illegal/aggressive cyber-behavior from a sovereign state.
The Shanghai Cooperation Organization: In its Yekaterinburg Declaration of June 16,
2009, member states have recognized the significance of cyber-security issues but have
not formalized any concrete actions. The absence of any framework and standards
renders this initiative invalid when combating a sovereign state’s cyber aggression.
INTERPOL: INTERPOL is committed to becoming a global coordination body on the
detection and prevention of digital crimes through its INTERPOL Global Complex for
Innovation (IGCI), currently being constructed in Singapore. This new center provides
proactive research into new areas and latest training techniques, and coordinates
operations in the field (INTERPOL, 2015). INTERPOL supports operations by local law
enforcement agencies by providing subject matter expertise and forensic support.
INTERPOL does not clearly spell out any frameworks, standards and/or
mechanisms through which it can support successful prosecution of a rogue State in any
world body, such as the International Court of Justice (ICJ, 2015). Therefore, despite
its noble intentions, it has failed to address the issue at hand.
United States: The United States Cyber Command (USCYBERCOM) is a United States
armed forces sub-unified command subordinate to United States Strategic Command.
USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to:
direct the operations and defense of specified Department of Defense information
networks, conduct full spectrum military cyberspace operations in order to enable actions
in all domains, and ensure US/Allied freedom of action in cyberspace and deny the same
to their adversaries (Cyberwar in the U.S., 2015).
USCYBERCOM’s approach is clearly offensive in nature from a military
perspective. Its main aim is to attack and cripple the enemy state's capability to
launch any further cyber-attacks on the United States. This unilateral strategy is also
missing the elements of design and implementation of international standards to regulate
cyber-behavior; it aims instead to punish any cyber-aggression with an equally proportionate
response.
Other agencies, including the Federal Communications Commission (FCC), have
also regulated various cyberspace aspects with a domestic scope, failing to define and
address global jurisdiction and standards.
In summary, the efforts described above by the respective organizations have been
theoretical in nature, mostly focusing on research and development, policy planning, serving as
centers of excellence, being a facilitator, etc. The aforementioned organizations have failed to
establish a comprehensive legal framework and standards required for effective governance and
regulation of a foreign state’s aggressive cyber-behavior. The next section discusses the challenges
in developing and implementing global standards that will deter foreign states’ aggressive
cyber-behavior, along with a roadmap to design, develop and implement effective international
standards that none of the above entities have developed thus far.
Developing and Implementing Global Standards Regulating Aggressive Cyber-behavior
This section describes and explains major challenges behind developing and
implementing global standards, along with a recommended roadmap to achieve this task.
Challenges
The following is a list of challenges hindering development and implementation of global
standards (Shinder, 2011) to regulate aggressive cyber-behavior from a foreign state:
Lack of standards: At present, there are no local and/or global standards developed and
implemented to regulate the aggressive cyber-behavior of state actors.
Forensics: Due to the sheer complexity and virtual nature of the crime, standards to collect,
sanitize, and analyze forensic evidence have not been determined.
Establishing identity: Cyber-criminals operate under false identities, which can go
undetected, and there are no standards developed to identify the culprit accurately.
Jurisdictional issues: Traditional subjective doctrine does not hold as there are no clearly
marked boundaries during the commission of cyber-crime, which crosses political
boundaries. Nations can determine the exact location of Internet activity to a certain
extent by assigning Internet Protocol (IP) addresses and Domain Name Server (DNS)
addresses to computers that coincide with their physical addresses, but cyber-terrorists
can easily evade this identification system by masking their origin. The Victim State may
base its prosecution (before international courts) on the principle of universal
jurisdiction; however, this has been contested by many jurists, and one of its significant
limitations is that cyber-terrorists cannot be prosecuted preventively. The potential
Victim State must wait for the crime to occur, and then prosecute (Stockton & Goldman,
2014, pp. 231-250).
Compliance: There is no law or regulation forcing countries to comply with certain
standards or best practices. Countries can operate aggressively in the cyber landscape
without any threat of punitive actions. Some countries have even gained notoriety by
providing safe haven to hackers who operate on their behalf.
Thus far, nations have not displayed a collective will to tackle the aforementioned
challenges in order to develop global standards that will deter rogue states from committing
cyber-crimes against other nations. The next sub-section provides some practical approaches to
develop and implement a mutually agreed-upon set of global standards.
Roadmap
The following suggested roadmap (Figure 1) can help with designing global standards to
regulate aggressive cyber-behavior, along with recommendations to implement those standards.
This roadmap is approached by keeping industry best practices and various program development
methodologies in view, with a specific focus on continuous improvement (See Appendix E).
Figure 1. Proposed model to develop and implement international standards vis-à-vis cyber-behavior
Consensus building: In this preliminary stage, states should recognize the need for mutual
cooperation, recognize the issue that we are all confronted with, and with collective
determination, work jointly in defining, developing, and implementing global standards
to regulate foreign states’ aggressive cyber-behavior.
Global body creation: In this stage, all states must mutually agree to create a regulatory
body with the power to enforce and prosecute aggressive cyber-behavior of a rogue
nation. This should be formalized in policies, framework, and international standards.
Ownership: In this stage, states should develop internal policies and procedures to play an
active role in the ‘global body’ and submit themselves to the decisions of this body.
States should also allocate resources and maintain compliance at all times.
Design & development of tools: In this stage, the Global body should leverage best practices
to design and develop tools. These tools will support the proposed universal framework and
international standards to regulate aggressive cyber-behavior from a foreign state.
Development of procedures and processes: In this stage, procedures and processes should
be documented to operationalize international standards. The most important aspect of
these documents will be to define the scope, prosecution authority, logistics, and
functional & administrative ownership. Defining these aspects clearly should take away
the ambiguity that surrounds forensics, identity issues, and jurisdictional issues.
Jurisdiction and logistics: Even though this has been touched upon in the last step, the
success of this exercise hinges on proper definition of jurisdiction and scope; it therefore
warrants a policy document clearly detailing matters regarding scope, jurisdiction, and
enforcement mechanism. It should also define prosecution authorities (e.g. ICJ) and
policing accountabilities (e.g. INTERPOL) for those jurisdictions (on a rotating basis),
allocation of resources, and the periodicity of review of this critical document.
Monitor and control: In this stage, the overall monitoring and controlling aspects should
be defined. All violations should be identified, logged, addressed, and reviewed on a
periodic basis. These records will also enable investigators to perform analysis to
determine recurring trends, anomalies and outliers. The Global body should publish
reports highlighting topics of significant public interest and areas of concern.
Continuous improvement: In this crucial stage, the Global body will be in an excellent
position to advance its Research and Development (R&D) interests by leveraging other
member states and also serve as a Center of Excellence on matters relating to standards
for cyber security issues, research, advisory, best practice sharing, etc. All of these
activities will enable continuous improvement of this model, and of the standards
themselves.
Conclusion
This position paper supports the position that there is an imminent need to
develop and implement international standards to regulate aggressive cyber-behaviour of a
foreign State. At the hands of rogue nations' aggressive cyber-activities, various countries have
suffered enormous financial losses, with estimates ranging from $300 billion to $1 trillion.
The significance and scope of this problem have been realized by various world bodies,
resulting in varied responses. All proposed solutions have been theoretical, lacking concrete
actions vis-a-vis defining global standards, jurisdiction, and prosecution mechanisms. Also, all of
these solutions are geared toward regulating individual cyber-behavior within prescribed political
boundaries, as opposed to regulating a sovereign state’s aggressive cyber-behavior.
Cyber-warfare’s rules of engagement are also different from those of a conventional conflict,
and thus, cyber-warfare’s rules remain to be formalized. In addition, the common challenges
faced when developing these international standards are the lack of focus around jurisdictional
definition and authority, lack of scope definition, forensic complexities, issues in establishing
the culprit's identity, and a general lack of will toward forming international standards.
The key to coming up with effective international standards lies in countries launching
this initiative from a globally recognized and respected platform (e.g. UN), developing a
consensus through policy planning, allocating resources for the initiative, deciding on mutually
agreed-upon deliverables, assigning an investigative bureau (e.g. INTERPOL), nominating a
prosecuting body (e.g. ICJ), taking joint ownership of this initiative on a continuing basis, and
most importantly, maintaining full compliance themselves with the international standards at all times.
Moving forward, with the global paradigm shift (Ophardt, 2010, pp. 3-4) in the
commission of state-committed (or state-sponsored) cyber-crimes and aggressive cyber-
behaviour, global institutions (such as the United Nations, the International Court of Justice, and
INTERPOL) have a major role to play to hold aggressive parties accountable for their actions,
and to promote progress towards developing international standards, building consensus, and
developing mechanisms to serve justice to Victim States (Glennon, 2013, pp. 569-570). Due to
the dynamic nature of this issue, any solution will always be a work in progress as emerging
challenges are addressed, and corresponding solutions appended into the framework.
References
Ashford, W. (February 13, 2015). Data Breaches up by 49% in 2014. ComputerWeekly.com.
Retrieved from http://www.computerweekly.com/news/2240240346/Data-breaches-up-49-in-2014-exposing-more-than-a-billion-records
Awan, I. (2014). Debating the term cyber-terrorism: Issues and problems. Internet Journal of
Criminology. Retrieved from http://www.internetjournalofcriminology.com/Awan_Debating_The_Term_Cyber-Terrorism_IJC_Jan_2014.pdf
Council of Europe. (2015). Standards: the convention and its Protocol. Retrieved from
http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/default_en.asp
Cyberwarfare. (2015). In Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Cyberwarfare
Cyberwarfare In the United States. (2015). In Wikipedia. Retrieved from
http://en.wikipedia.org/wiki/Cyberwarfare_in_the_United_States
Defence IQ. (2010, May 26). CIA, US Military Step Up Cyber Space Security Strategies.
Retrieved from http://www.defenceiq.com/defence-technology/articles/cia-us-military-step-up-cyber-space-security-strat/
Feldman, N. (2015). Brainy Quote. Retrieved from http://www.brainyquote.com/quotes/keywords/cyber.html
Glennon, M. (2013). The dark future of international cybersecurity regulation. Journal of
National Security Law & Policy, 4, 563-570. Retrieved from
http://jnslp.com/wp-content/uploads/2013/04/The-Dark-Future-of-International-Cybersecurity-Regulation.pdf
Hathaway, O., Crootof, R., Levitz, P., Proctor, H., Nowlan, E., Perdue, W., Spiegel, J. (2011).
The Law of Cyber-Attack. Yale Law & Economics Research Paper No. 453, 100 (4), 1-76.
Retrieved from http://www.law.yale.edu/documents/pdf/cglc/LawOfCyberAttack.pdf
IMPACT. (2015). Mission & Vision. Retrieved from http://www.impact- alliance.org/
aboutus/mission-&-vision.html
InfoSec Institute. (2013). 2013 - The impact of cybercrime. Retrieved from
http://resources.infosecinstitute.com/2013-impact-cybercrime/
INTERPOL. (2015). Cybercrime. Retrieved from http://www.interpol.int/Crime-areas/Cybercrime/Cybercrime
ICJ. (2015). Jurisdiction. Retrieved from http://www.icj-cij.org/jurisdiction/index.php?p1=5
Kanuck, S. (2010). Sovereign discourse on cyber conflict under international law. Texas Law
Review, 88, 1570-1597. Retrieved from https://www.law.upenn.edu/institutes/cerl/conferences/cyberwar/papers/reading/Kanuck.pdf
McAfee. (2013). The economic impact of cybercrime and cyber espionage. Retrieved from
http://www.mcafee.com/ca/resources/reports/rp-economic-impact-cybercrime-summary.pdf
OAS. (2015). Cyber-security program. Retrieved from https://www.sites.oas.org/cyber/en/Pages/default.aspx
Ophardt, J. (2010). Cyber warfare and the crime of aggressions: The need for individual
accountability on tomorrow's battlefield. Duke Law & Technology Review, 9(2), 1-27.
Retrieved from http://scholarship.law.duke.edu/dltr/vol9/iss1/2
Passeri, P. (2015, April 13). March 2015 Cyber Attacks Statistics. Retrieved from
http://hackmageddon.com/category/security/cyber-attacks-statistics/
Schjolberg, S. (2007). Terrorism in Cyberspace - Myth or reality?. Retrieved from
http://www.cybercrimelaw.net/documents/Cyberterrorism.pdf
Shinder, D. (2011, January 26). What makes cybercrime laws so difficult to enforce. Tech Republic.
Retrieved from http://www.techrepublic.com/blog/it-security/what-makes-cybercrime-laws-so-difficult-to-enforce/
Stockton, P., & Goldman, M. (2014). Prosecuting cyberterrorists: Applying traditional
jurisdictional frameworks to a modern threat. Stanford Law & Policy Review, 25, 211-268.
Retrieved from https://journals.law.stanford.edu/sites/default/files/stanford-law-policy-review/print/2014/06/stockton_goldman_25_stan._l._poly_rev._211.pdf
Wegener, H. (2014). Regulating Cyber Behaviour: Some Initial Reflections on Codes of Conduct
and Confidence-Building Measures. Retrieved from https://www.unibw.de/infosecur/publications/individual_publications/wegener_regulating_cyber_behaviour_paper_2014
Appendix A
Cyber-attack Representations
Chart A – Distribution of Cyber-attack targets
Chart B – Distribution of Cyber-attack techniques
Chart C – Distribution of Cyber-attack (by industry)
Chart D – Distribution of Cyber-attack (by Org.)
Note: The pie charts above represent the distribution of cyber-attack targets, the techniques employed to infiltrate the target organizations, the industries affected by these
cyber-attacks, and the types of organizations attacked.
Source: http://hackmageddon.com/author/paulsparrows/
Appendix B
Examples of recent incidents of nations' cyber warfare
2014 North Korea hacked SONY Pictures Entertainment
The cyber-attack on Sony Pictures Entertainment by a state-sponsored group called the Guardians of Peace
resulted in a canceled movie release (at least for a little while), leaked personal information, and apologies
from Hollywood executives caught in embarrassing e-mail conversations.
2012 Iran (via proxy) attacks US energy interest and ally
Forensic investigation revealed that a virus (named Shamoon) was brought in on a USB drive and planted in
the network by an authorized Aramco user. This compromised and disrupted more than 75% of networked
computers (30,000), affecting production at the world’s largest oil and gas producer.
2010 US & Israel attack Iranian nuclear facility
The New York Times reported that the US, along with Israel, was responsible for the Stuxnet computer virus that was
used to destroy centrifuges in an Iranian nuclear facility in 2010.
2010 Indian-sponsored group hacks Pakistani websites
A group calling itself the Indian Cyber Army hacked websites belonging to the Pakistan Army and other
government ministries to avenge the Mumbai attacks.
2010 Britain cautioned against cyber threats from ‘hostile’ states
Britain’s internal agency warned against cyber threats from hostile states and criminals.
2009 North Korea attacks South Korea & USA
A series of coordinated denial-of-service attacks targeted major government, news media, and financial
websites in South Korea and the United States. While many thought the attack was directed by North Korea,
one researcher traced the attacks to the United Kingdom.
2007 Israel attacks Syria
Israel carried out an airstrike on Syria dubbed Operation Orchard. U.S. industry and military sources
speculated that the Israelis may have used cyber-warfare to allow their planes to pass undetected by radar
into Syria.
2007 Russia attacks Estonia
Estonia came under cyber-attack in the wake of the relocation of the Bronze Soldier of Tallinn. The largest part
of the attacks came from Russia and from official servers of the Russian authorities. The attacks targeted
ministries, banks, and media. This attack on Estonia, a seemingly small Baltic nation, was so
effective because most of the nation is run online.
2006 Israel (via proxies) attacks Hezbollah
Israel alleges that cyber-warfare was part of the conflict; Israel Defense Forces (IDF) intelligence
estimates that several countries in the Middle East used Russian hackers and scientists to operate on their behalf.
Appendix C
Cyber-attacks on various Nations (by category)
Note. CC=Cybercrime, H= Hacktivism, CE= Cyber Espionage, CW=Cyber Warfare
Appendix D
Estimated cost of cybercrime in US and Globally (As of November 2013)
Appendix E
© 2015. Mansoor Faridi. All rights reserved.
The above model is intended to support the development and implementation of international
standards vis-à-vis aggressive cyber-behavior of a foreign state. The approach is
inspired by research materials produced by global organizations, industry best practices,
global frameworks, and international standards pertaining to quality assurance, as
follows: ISO 27000x, Capability Maturity Model Integration (CMMI) for Development
Ver. 1.3, NIST, InfoSec Institute publications, ISACA publications, FCC publications,
etc.
The focus is first on developing a mutually agreed-upon consensus and then on
continuous process improvement of the deliverables as the solution matures and
lessons are learned.