Sunday, 11 March 2012

At what point do IT geeks become legitimate military targets?

The author's attention was drawn today to a short article on the BBC discussing how a 19-year-old had won a competition by GCHQ to provide the best form of online protection against the hacking threat.

The emergence of Cyberspace as a new battleground has been widely predicted, and many good papers and books exist on the subject. The issue that has raised questions in the author's head is not the importance of the UK being able to protect itself from the electronic threat, but more broadly how the current generation of computer-literate individuals would be able to sit within the defence community as a whole. For those readers with an interest in such things, he would strongly commend a read of the UK Govt Cyber Security strategy paper at , which attempts to set out the UK Govt's position on how it will meet the cyber threat.

What is clear is that the cyber debate represents one of the most challenging future developments, one that could essentially be a paradigm shift in how security is provided: a move away from reliance on the Government to provide security for the nation, and instead a realisation that national security is dependent on a hugely complex set of companies, organisations, and groups, and that the resources required to provide this defence are a truly national asset.

While there is unlikely to be a reduction in the requirement to use physical military force in future, it is increasingly clear that the cyber context will be seen as an integrated part of any major power's military and Governmental campaign. The work sits across a range of campaign areas, and Humphrey wanted to use this article to raise a couple of questions.

Is Cyber Security something that should sit within the J1-J9 framework, or has the time come to create a J10 division to handle these matters?

This author genuinely holds no view on this, but would welcome the views of others. For while we focus heavily on issues such as hard power, soft power and influence, it does feel as if Cyber Security simultaneously sits in all of these roles and none of them.

 One final question, more rhetorical than anything else, but which perhaps illustrates the complexity of this debate.

During a military campaign, is it legitimate to kinetically target a building containing an internet café full of civilian students, if those individuals are engaged in hostile acts of aggression against an opposing nation’s critical national infrastructure using cyber means? Do the unarmed civilian students represent a military threat, and how do the laws of war extend to acts involving cyber offence & defence?

Humphrey suspects there is no clear answer to either question, but feels it would make a fascinating debate - where is the line drawn for cyber purposes? Is Cyberspace to be treated as a virtual battleground for targeting purposes, or do the physical facilities and people involved in the process count as legitimate targets for a military operation?


  1. I always find people's obsession with "legitimate targets" fascinating.
    Although I doubt anyone who could would bother hitting an internet cafe, it would be far easier to cut the communications links on a grander scale, exchanges, trunk lines, even border crossings.

  2. Cyber defence is business as usual, good old service management. Wrapping it up as cyber is polishing the turd to attract (much needed) money. Other cyber activities do need more consideration, but as part of effects based warfare should remain a component of J3's toolbox.


  3. With regard to your second question - I suspect the Laws of Armed Conflict will be re-written to include the deployment of offensive Cyber capabilities. Despite what has recently been written regarding Cyber weapons being strategic tools of fine precision, it is clear their employment, particularly against critical national infrastructure, would threaten life and consequently if it were possible to identify and target the orchestrators of such an attack they would be legitimate targets - to my mind. The problem is this domain is so difficult to see clearly, obfuscation is everything and nothing is what it seems - all too easy for a nation state to use proxies to deliver a cyber weapon without their even knowing. Interesting times.


  4. This is one-sided. How about business travelers outside the legal wall? Say inside China. Look at the Chinese activity and the actions and recommendations for people visiting China. If business depends on travel and the protection outside the wall is limp-wristed then the cash flow is going to dribble. It's the same for ongoing attacks on IP. If tech is copied and sold things can go downhill. Doesn't have to be swiped off an inside-the-wall computer, just copied from tech sold outside.

  5. Cyber defence is business as usual, good old service management.

    BCP 38 for the win!

    Further, I would argue that offensive "cyberwar" makes as much sense for us as maritime piracy, kinetic ASAT, or suicide bombers. We benefit enormously from free passage over the information commons, rather like we do from free passage over the sea and through Earth orbit.

    At the margin, operations of "cyberwar" become indistinguishable from the activities of (say) Syrian secret police hunting down and torturing bloggers.

    We would do better to concentrate on protecting targets and after-the-fact clean-up (respectively, information security and CERT) on the one hand, and exploiting the information commons on the other.

    If you have an SSN cut the Telecom Italia Sparkle/Seabone cable into Syria, they can't get the BBC or Al Jazeera (and their correspondents struggle to get reporting out), and are left with enemy propaganda. Pro-regime cyber attackers are as likely to use several hundred unpatched Windows PCs in the suburbs of Copenhagen as they are to do anything from their home country.

  6. Some very interesting comments there - it seems to me that we are in a very grey area with the principle of cyberwarfare. While to some, the deliberate targeting of people engaged in hostile acts seems legitimate, at present it feels as if the laws of armed conflict distinguish between teenage geeks, and teenage geeks in uniform - despite them both being able to have the same damaging effect on opponents' infrastructures.

    How would the media treat an attack on a cybercafe, which it had been believed was a legitimate target for its cyberwarfare actions, when the result was many dead people?

    The difficulty of cyberwar is that it blurs the edges - conflict has gone from being a distinct phenomenon, often conducted in clearly defined areas, to something in which the homefront is now potentially the frontline for offensive actions, even when it is not necessarily under attack, or potentially even in a nation formally engaged in hostile acts against another (3rd party interests or hackers could try to conduct sympathetic acts of support) - Clearly a difficult area, and one that may see much more debate in the future.

  7. Someone could update the Hague and Geneva Conventions.

    The Terrorism Act 2006 is used in the UK, could it not be modified to include cyber warfare?

    Cyber warfare from a foreign country is more the province of James Bond and his gang, and so we the general public don't need to know about such things.