Judging the civilian and environmental risks of cyber warfare

Judging the civilian and environmental risks of cyber warfare

How much of a threat do cyber attacks on industrial infrastructure pose to civilians and the environment? More to the point, how do we judge the environmental acceptability of new forms of warfare, or current practices for that matter? Doug Weir takes a look.

During our first legal workshop on toxic remnants of war in 2012, one attendee questioned how the legality of a cyber attack on an industrial facility that caused a damaging chemical release would be dealt with. In common with others present, we didn’t have a clear answer on this. Three years on and the hype bubble surrounding all things cyber is slowly throwing up some initial answers, although much delirium remains. It’s also throwing up some questions, not least of which is whether the international community is currently equipped to judge the environmental acceptability of new military practices.

Targeting industry the old fashioned way

Before considering the cyber dimension, it’s perhaps necessary to consider the more mundane interactions between conflict and potentially hazardous industrial infrastructure. Current and recent conflicts in Libya, Gaza and Ukraine have seen oil, chemical and power sites sabotaged and targeted; both deliberately – out of perceived tactical necessity, and inadvertently.

Conflict and instability may also create orphaned industrial sites containing hazardous materials and seriously degrade the capacity of states to monitor or address the health and environmental risks they pose, threatening Environmental Emergencies. Civilian access to abandoned or former sites is commonplace and the collapse of security can encourage looting and the reuse of industrial equipment.

Attacks on industrial sites, and the risks associated with them in post-conflict settings are a significant source of conflict pollution. Combine the weakness of international humanitarian law’s provisions for environmental protection with the military advantage claimed in justifying attacks and it seems likely that they will continue for the foreseeable future. But how might cyber warfare contribute to this?

Networked risks

Power plants, electrical grids, refineries and pipelines, transportation networks, water-treatment and distribution systems and a host of other critical industrial infrastructure rely on computer systems for their management. Such systems are a potential target for cyber warfare. Supervisory Control and Data Acquisition (SCADA) networks run processes over a large geographical area, while Distributed Control Systems (DCS) run processes in a single area, such as an individual plant. Gain access to and control over these and you can theoretically disrupt or shut down sites or networks, or damage them by introducing rogue commands.

A generalised SCADA system - cyber experts argue that they are insecure by design.
A generalised SCADA system – cyber experts argue that they are insecure by design.

The most notorious example of this was the Stuxnet worm, which targeted Iran’s nuclear facilities. Unusually, Stuxnet was both highly complex and extremely target-specific. It is thought that Stuxnet was tailored to disrupt and then damage a steam turbine in the Bushehr nuclear power plant and uranium enrichment cascades at Natanz, this was achieved by gaining control over two models of Siemens logic controllers. Stuxnet was unusual in its complexity but even more generic worms have caused problems, such as the Slammer worm, which shut down a monitoring system at an offline Ohio nuclear power plant in 2003. At the beginning of this month, the IAEA convened a conference on computer security for nuclear installations, finding that ‘regulation must address information technology systems, industrial control systems and physical protection systems used within the nuclear industry’.

While these examples relate to nuclear facilities, the widespread use of SCADA and DCS systems using proprietary soft and hardware in other sectors suggests that with sufficient determination and resourcefulness, states and to a lesser degree non-state actors could conduct cyber attacks against a range of industrial targets. There has been much debate over whether such attacks would constitute an act of war if they took place outside of an armed conflict, and yet more debate over the problems of attribution and how cyber could lower the threshold necessary to trigger armed conflict.

More pertinently, would such attacks create threats to public and environmental health? While non-specific attacks on industrial systems clearly have the potential to do so, examples to date suggest that the technical requirements for planning and delivering disruptive attacks with any degree of sophistication and efficacy require a reasonable level of target specificity. In comparison to current and recent conventional targeting policy, this suggests that cyber is currently unable to generate as much damage as more traditional approaches that utilise bombs, artillery and missiles. Whether that will remain true in the future is a matter of debate and will depend on how the cyber security arms race develops.

NATO’s air campaign in Serbia saw more than 100 industrial installations attacked, generating significant environmental pollution and threatening civilian health. Based on current state practice and examples from those attacks that have been made public, it’s hard to foresee a time where such a broad and environmentally disruptive campaign could be replicated with cyber alone. Nevertheless, serious damage to a single facility through a cyber attack could generate severe risks to civilians and, as with destruction through bombing, it is questionable whether these risks are being adequately considered in a way that balances civilian protection with military necessity.

On meaningless thresholds    

In the wake of the widespread and unsophisticated cyber attacks in Estonia in 2007, which were triggered by a decision to move a WWII Soviet war memorial, Tallinn persuaded NATO to establish a Cooperative Cyber Defence Centre of Excellence in Estonia. In 2013, the centre published the multi-year outcome of a group of experts convened to discuss the interaction of cyber with international law. The Tallinn Manual covers protection of the environment during conflict but predictably is hamstrung by the weakness of existing law and its nebulous widespread, long-term and severe provisions, requiring damage to be ‘exceptionally severe’ for a breach to occur. The review does note that the environmental impact of any planned attack should be considered in advance but without a realistic threshold for damage such consideration is largely meaningless.

The manual also considers cyber attacks on installations containing dangerous forces whose release could cause ‘severe losses’ among the civilian population. Attacks against such targets, for example nuclear power plants, are not proscribed but it suggests that particular care should be taken during the planning and conduct of operations, to avoid an environmentally awkward core meltdown for example. What constitutes severe civilian losses is to be ‘judged in good faith on the basis of objective elements’ such as proximity to population centres.

If the interpretation of the experts who developed the manual feels somewhat unsatisfactory, blame can be placed squarely on the dubious state of legal protection for the environment – and by extension its inhabitants – under current law. In its 2009 report on legal protection of the environment during conflict, UNEP lamented the lack of a fixed mechanism ‘to monitor legal infringements and address compensation claims for environmental damage sustained during international armed conflicts’. But perhaps such a fixed mechanism could serve another valuable purpose, it could create a vehicle that would ensure that states are forced to fully consider and understand the environmental impact of their military operations and tactics. To be effective this would require not only independent scrutiny but also an increase in the amount of data gathered in the field, certainly more than is made available at present.

While a mechanism tasked with considering strict liability and compensation would be a legal minefield, a mechanism that monitors damage and creates the space where the environmental impact of current and new developments in the field of armed conflict could be meaningfully scrutinised would be invaluable. This is perhaps more true of environmental concerns than many other fields, given the low priority the environment is currently afforded in war and elsewhere – in spite of its importance for civilian protection, post-conflict economic recovery and peacebuilding. In this respect cyber is perhaps a good example of an issue that could have serious implications for environmental protection during conflict, but where a simplistic interpretation through weak legal provisions does little to add to either public understanding, or to efforts to constrain or modify military behaviour.

Doug Weir manages the Toxic Remnants of War Project.

 

    Leave a Reply