Developments and Revelations Concerning Cybersecurity and Cyberspace

June 20, 2012 Volume 16, Issue 22

Recent Developments and Revelations Concerning Cybersecurity and

Cyberspace: Implications for International Law

By David P. Fidler

Introduction

In recent weeks, media reports have addressed actions, discoveries, and controversies relating to cybersecurity and cyberspace that have implications for international law, including war,espionage, terrorism, and crime in cyberspace and the architecture and governance of the Internet. This Insight describes these episodes and analyzes their importance for the relationship between international law and cybersecurity and cyberspace.

Developments and Revelations Concerning Cybersecurity and Cyberspace

Origins of Stuxnet

On June 1, 2012, David Sanger of the New York Times reported that the United States and

Israel developed the Stuxnet computer worm and used it to attack Iran’s uranium enrichment facilities.[1] When discovered in 2010, experts considered Stuxnet to be a “game changing” cyber weapon because of its complexity, purpose, and performance. The

Stuxnet worm exploited unknown vulnerabilities in Windows software,[2] targeted industrial control systems at Iran’s enrichment facilities,[3] and reportedly damaged over 1,000 centrifuges and disrupted Iran’s enrichment efforts.[4] The complexity and nature of the attack led many to suspect that a state, most likely the United States and/or Israel, created Stuxnet. Sanger appeared to confirm this suspicion, revealing that the Stuxnet project, code-named “Olympic Games,” began during the George W. Bush administration and accelerated under President Barack Obama.[5]

The Flame Virus

In late May 2012, experts discovered a computer virus dubbed “Flame.”[6] Unlike Stuxnet, Flame operated as an espionage tool because it infiltrated computers and exfiltrated to the international community. The American Society of International Law

does not take positions on substantive issues, including the ones discussed in this Insight. Educational and news media copying is permitted with due acknowledgement. The Insights Editorial Board includes: Cymie Payne, UC Berkeley School of Law; Amelia Porges; and David Kaye, UCLA School of Law. Djurdja Lazic serves as the managing editor. information from them. As such, experts believe that a government or governments created Flame to spy on other countries. This large and complex virus was predominantly found in computers in the Middle East, with Iran being particularly affected. Some information indicated that Flame had been operating for years before detection and shared some code with early versions of Stuxnet.[7] The Iran and Stuxnet aspects encouraged speculation that the United States and/or Israel were responsible for Flame.[8] Although cyber espionage is not a new problem,[9] Flame garnered international attention, including an alert from the International Telecommunications Union (“ITU”) and assertion by the ITU’s cybersecurity coordinator that Flame constituted “a much more serious threat than Stuxnet.”[10]

U.S. Cyber Activity Against Al-Qaeda Web Sites

On May 23, 2012, Secretary of State Hillary Clinton described U.S. efforts to alter information on web sites used by al-Qaeda’s affiliate in Yemen.[11] This State Departmentled, interagency activity sought to discredit terrorist use of the Internet. Terrorists have not demonstrated interest in launching cyber attacks, but they use the Internet for recruiting and other purposes. Although described in press reports as “hacking” or “cyber war,”[12] the State Department apparently altered and re-posted recruiting ads that appeared on al- Qaeda web sites in ways that described the toll al-Qaeda has inflicted on Yemen’s people— actions that probably did not require hacking into or attacking computers.[13] Governmentsponsored actions against terrorist web sites have occurred before,[14] but Secretary Clinton’s description of a State Department-led strategy that includes altering information on terrorist web sites potentially revealed a more open, coordinated, and forward-leaning U.S. approach to cyber counter-terrorism.

Global Transition to Internet Protocol Version 6

On June 6, 2012, the Internet Society—a global non-governmental organization dedicated

to promoting the open development and use of the Internet—sponsored the “World IPv6

Launch,” an effort to have major Internet service providers and web companies accelerate

the transition from Internet Protocol version 4 (“IPv4”) to Internet Protocol version 6

(“IPv6”).[15] Internet communications occur through the Transmission Control Protocol/Internet Protocol (“TCP/IP”) standard, which controls how data is organized,

addressed, transmitted, and received on the Internet. The “Internet Protocol” provides the

addressing system for sending information over the Internet. As with other Internet protocols, the non-governmental Internet Engineering Task Force (“IETF”) developed

IPv6.[16] Internet experts believe IPv6 is critical because growth in Internet usage has exhausted the number of addresses IPv4 had available (approximately 4.3 billion).[17] IPv6 increases the number of addresses to approximately 340 undecillion (or trillion, trillion, trillion), making exhaustion of addresses virtually impossible.[18] IPv6 will ensure that the Internet can handle growth in future use. Although IPv6 solves the Internet address problem, it has raised questions about its potential impact on cybersecurity, ranging from claims that IPv6 will provide greater online security and help law enforcement address cyber crimes[19] to concerns that IPv6 might benefit cyber criminals and governments seeking to repress political dissent.[20]

Internet Governance Controversy

In May 2012, controversy intensified about the December 2012 meeting of the ITU’s World Conference on Telecommunications (“WCIT”).[21] WCIT delegates will consider revising the International Telecommunication Regulations (“ITR”), a treaty adopted by ITU member states.[22] Some countries want significant changes to the ITR, including potentially expanding the ITU’s role with respect to Internet governance.[23] Moving in this direction would require shifting Internet governance from multi-stakeholder, non-governmental mechanisms, such as the Internet Society, IETF, and Internet Corporation for Assigned Names and Numbers (“ICANN”), to the inter-governmental ITU. The Obama administration, members of Congress, and stakeholders in the current governance system oppose attempts to centralize Internet governance in an inter-governmental forum for many reasons, including perceived threats from governance centralization to Internet innovation and freedom. The WCIT controversy represents the latest flare-up about Internet governance, with similar disagreements appearing during the ITU’s World Summit on the Information Society (2003-2005).[24]

Date: 2015-12-17; view: 767